
Assertion Error in `CopyWithinHelper`

Open bin2415 opened this issue 4 years ago • 1 comments

PoC:

function main() {
  // 4294967295 is 2^32 - 1, the largest length a JS array may have.
  // copyWithin() with no arguments defaults to target = 0, start = 0,
  // end = length, so the element count being copied equals the array
  // length itself — the exact boundary value the engine's bounds
  // assertion has to accept.
  const hugeArray = Array(4294967295);
  const copied = hugeArray.copyWithin();
}
main();

backtrace:

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
    frame #0: 0x0000000103084441 libChakraCore.dylib`Js::JavascriptArray::CopyWithinHelper(pArr=0x0000000907a274c0, typedArrayBase=0x0000000000000000, obj=0x0000000907a274c0, length=4294967295, args=0x00007ffeefbfb6e8, scriptContext=0x0000000101819058) at JavascriptArray.cpp:9481:13
   9478	        {
   9479	            Assert(fromVal < MaxArrayLength);
   9480	            Assert(toVal < MaxArrayLength);
-> 9481	            Assert(direction == -1 || (fromVal + count < MaxArrayLength && toVal + count < MaxArrayLength));
   9482
   9483	            uint32 fromIndex = static_cast<uint32>(fromVal);
   9484	            uint32 toIndex = static_cast<uint32>(toVal);
Target 0: (ch) stopped.
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
  * frame #0: 0x0000000103084441 libChakraCore.dylib`Js::JavascriptArray::CopyWithinHelper(pArr=0x0000000907a274c0, typedArrayBase=0x0000000000000000, obj=0x0000000907a274c0, length=4294967295, args=0x00007ffeefbfb6e8, scriptContext=0x0000000101819058) at JavascriptArray.cpp:9481:13
    frame #1: 0x000000010308349c libChakraCore.dylib`Js::JavascriptArray::EntryCopyWithin(function=0x0000000907a84e40, callInfo=(Count = 1, Flags = CallFlags_Value, unused = 0)) at JavascriptArray.cpp:9348:16
    frame #2: 0x000000010344d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #3: 0x00000001031062db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x0000000907a84e40, entryPoint=(libChakraCore.dylib`Js::JavascriptArray::EntryCopyWithin(Js::RecyclableObject*, Js::CallInfo, ...) at JavascriptArray.cpp:9334), args=Arguments @ 0x00007ffeefbfb828, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #4: 0x0000000102e6c07a libChakraCore.dylib`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfca30, playout=0x00000009077730ed, function=0x0000000907a84e40, flags=2, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3988:54
    frame #5: 0x0000000102e6b971 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfca30, playout=0x00000009077730ed, function=0x0000000907a84e40, flags=0, profileId=1, inlineCacheIndex=0, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:4016:9
    frame #6: 0x0000000102d44dd8 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(this=0x00007ffeefbfca30, playout=0x00000009077730ed)0> > > const __unaligned*) at InterpreterStackFrame.h:520:115
    frame #7: 0x0000000102d398f6 libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007ffeefbfca30) at InterpreterHandler.inl:91:3
    frame #8: 0x0000000102cd38f4 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00007ffeefbfca30) at InterpreterStackFrame.cpp:3472:20
    frame #9: 0x0000000102cd23fc libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000009077c6730, args=ArgumentReader @ 0x00007ffeefbfcf30, returnAddress=0x0000000907a60f9a, addressOfReturnAddress=0x00007ffeefbfcf78, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40
    frame #10: 0x0000000102cd1480 libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterThunk(layout=0x00007ffeefbfcf90) at InterpreterStackFrame.cpp:1833:16
    frame #11: 0x0000000907a60f9a
    frame #12: 0x000000010344d15e libChakraCore.dylib`amd64_CallFunction at JavascriptFunctionA.S:100
    frame #13: 0x00000001031062db libChakraCore.dylib`void* Js::JavascriptFunction::CallFunction<true>(function=0x00000009077c6730, entryPoint=(libChakraCore.dylib`NativeCodeGenerator::CheckCodeGenThunk(Js::RecyclableObject*, Js::CallInfo, ...)), args=Arguments @ 0x00007ffeefbfd0c0, useLargeArgCount=false)(Js::RecyclableObject*, Js::CallInfo, ...), Js::Arguments, bool) at JavascriptFunction.cpp:1364:16
    frame #14: 0x0000000102e6be7f libChakraCore.dylib`void Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfe290, playout=0x000000090776cdd0, function=0x00000009077c6730, flags=16, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:3973:21
    frame #15: 0x0000000102e6b971 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfileCallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > > __unaligned>(this=0x00007ffeefbfe290, playout=0x000000090776cdd0, function=0x00000009077c6730, flags=0, profileId=0, inlineCacheIndex=0, spreadIndices=0x0000000000000000)0> > > __unaligned const __unaligned*, Js::RecyclableObject*, unsigned int, unsigned short, unsigned int, Js::AuxArray<unsigned int> const*) at InterpreterStackFrame.cpp:4016:9
    frame #16: 0x0000000102d44dd8 libChakraCore.dylib`void Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<(Js::LayoutSize)0> > >(this=0x00007ffeefbfe290, playout=0x000000090776cdd0)0> > > const __unaligned*) at InterpreterStackFrame.h:520:115
    frame #17: 0x0000000102d398f6 libChakraCore.dylib`Js::InterpreterStackFrame::ProcessProfiled(this=0x00007ffeefbfe290) at InterpreterHandler.inl:91:3
    frame #18: 0x0000000102cd38f4 libChakraCore.dylib`Js::InterpreterStackFrame::Process(this=0x00007ffeefbfe290) at InterpreterStackFrame.cpp:3472:20
    frame #19: 0x0000000102cd23fc libChakraCore.dylib`Js::InterpreterStackFrame::InterpreterHelper(function=0x00000009077c66e0, args=ArgumentReader @ 0x00007ffeefbfe780, returnAddress=0x0000000907a60fa2, addressOfReturnAddress=0x00007ffeefbfe7c8, asmJsReturn=0x0000000000000000) at InterpreterStackFrame.cpp:2153:40

How to reproduce it:

- ./build.sh -d -j
- ./ch test.js

bin2415 avatar Apr 09 '21 16:04 bin2415

I think this is just a wrong assertion (off by one): with no arguments the whole array is copied, so `fromVal + count` equals the length rather than falling below it, and the upper-bound check should be `<=` rather than `<`.

rhuanjl avatar Apr 09 '21 18:04 rhuanjl